Cisco Support Community
Community Member

ACS SE 4.1.1.23 with EAP-TLS CRL issue

I'm running into an issue with CRL checking for EAP-TLS. Without the CRL, authentication is working for wireless users. I have the complete certificate chain installed and trusted. When I pull up the CRL page I have the issuers listed. After selecting the issuer, I choose "ignore expiration date" and "CRL is in use". Submitting gets the following error:

Failed to retrieve or verify CRL. Verify the CRL Distribution URL.

The ADMN.log file (cleaned) generated from running support shows the following:

ADMN 06/18/2007 14:06:55 I 1094 1636 Received HTTP request "POST /certConfig/setup.exe?action=certificateCRLInterface_submitForm HTTP/1.1".

ADMN 06/18/2007 14:06:55 I 0295 1636 Parse of HTTP request stream complete.

ADMN 06/18/2007 14:06:55 I 0000 1636 CRL: CRL: Issuer DOMAIN User CA 1's profile is found in the DB

ADMN 06/18/2007 14:06:55 I 0000 1636 CRL: CRL: Issuer DOMAIN User CA 1's profile is found in the DB

ADMN 06/18/2007 14:06:55 I 0000 1636 CRL: CRL: file D:\Program Files\CiscoSecure ACS v4.1\CRL\DOMAIN User CA 1(18-06-2007@14-06-55).crl successfully downloaded from http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20Intermediate%20CA%201.crl

ADMN 06/18/2007 14:06:55 I 0000 1636 CRL: CRL: successfully parsed CRL file D:\Program Files\CiscoSecure ACS v4.1\CRL\DOMAIN User CA 1(18-06-2007@14-06-55).crl

ADMN 06/18/2007 14:06:55 E 0000 1636 CRL: CRL: failed to find an issuer's certificate for crl D:\Program Files\CiscoSecure ACS v4.1\CRL\DOMAIN User CA 1(18-06-2007@14-06-55).crl

I'm trying to understand how it can fail to find an issuer's certificate when the issuer of the CRL is in the certificate chain I have installed from the issuing CA up through the root CA.

Any ideas?

The following patches are also installed:

Microsoft Security Bulletin MS06-35,36 and MS06-040,41,51

Thanks,

Mark

2 REPLIES
Community Member

Re: ACS SE 4.1.1.23 with EAP-TLS CRL issue

Issue resolved. The CRL that was being parsed from the cert was one level higher than the CRL that needed to be checked. The User CRL was pointing to the Intermediate CA's CRL. I had to manually change the URL from this:

http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20Intermediate%20CA%201.crl

to this:

http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20User%20CA%201.crl

Mark

Re: ACS SE 4.1.1.23 with EAP-TLS CRL issue

Thanks for sharing it.
